Multiple Security Strings How To Guide
Overview
Swivel allows multiple One Time Code or security strings to be sent by different transports. Each of the security strings must be used in order. With Swivel 3.6 a new feature was introduced to tell the user which security string to use for authentication. The user would typically enter their username, and click on a button to find which index number should be used. The corresponding security string should be used for calculating the One Time Code.
For multiple security strings used within the Mobile Apps, see Mobile Security String Index.
Prerequisites
Swivel 3.6 onwards
Dual Channel String Index
Configuring the Swivel server for Dual Channel Index
Select the required transport and set the required number of security strings to be sent to the user.
Note: For SMS delivery, there is a maximum number of characters that an SMS message can carry in one text. If a long header is used, this may reduce the number of security strings that fit. Typically 1 SMS message can carry 4 security strings, or 10 security strings across 2 SMS messages. Usually the mobile phone reassembles the SMS messages into one message.
It is possible to have differing transports for different groups of users with differing numbers of security strings or One Time Codes.
Allow session request by Username for Dual Channel Communication
Configuring the Access Device for Dual Channel Index
Dual Channel Index Image
The access device must be modified to tell the user which security string is required; this indicator is known as the 'Security String Index'. It is a number or an image served from the Swivel server. The Security String Index request is similar to a Single Channel image request such as TURing, and appropriate proxies or a NAT need to be put in place so that it can be requested from the Swivel server.
The Security String Index request is in the following format:
For a Swivel virtual or hardware appliance:
https://IP:8443/proxy/DCIndexImage?username=
Example https://196.168.0.35:8443/proxy/DCIndexImage?username=graham
For a Software install:
http://IP:8080/pinsafe/DCIndexImage?username=
Example http://196.168.0.35:8080/pinsafe/DCIndexImage?username=graham
Dual Channel Index Number
Instead of an image, the number can be requested directly and displayed. Replace DCIndexImage with DCIndex.
Example https://196.168.0.35:8443/proxy/DCIndex?username=graham
Testing for Dual Channel Index
The Security String Index number should be displayed when requested, starting with 00 and increasing sequentially for each authentication attempt until the maximum number has been reached, at which point it starts again at 00.
The user should log in with their OTC in the format nnnn, for example 2168. The security string index does not need to be entered, but it will be accepted if entered in the format nnnn-00, nnnn-01, nnnn-03, and so on.
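The request formats and the nnnn / nnnn-NN entry format described above, written as helper code for an access device or a test script. This is an added example, not Swivel's code: the function names, the percent-encoding of the username, the local index comparison and the assumption that one index is requested per authentication attempt are illustrative.

```python
import re
from urllib.parse import quote

# Request formats from the guide; the host is supplied by the caller.
APPLIANCE = "https://{host}:8443/proxy/{endpoint}?username={user}"
SOFTWARE = "http://{host}:8080/pinsafe/{endpoint}?username={user}"
# Entry format from the guide: nnnn, optionally followed by -NN (the index).
OTC_RE = re.compile(r"([0-9]{4})(?:-([0-9]{2}))?")


def index_url(host, username, appliance=True, image=False):
    """Build the Security String Index request for one user."""
    endpoint = "DCIndexImage" if image else "DCIndex"
    template = APPLIANCE if appliance else SOFTWARE
    # Percent-encode everything so '&', '#' or '/' in a typed username cannot
    # add parameters or alter the path of the request sent to the server.
    return template.format(host=host, endpoint=endpoint, user=quote(username, safe=""))


def parse_otc(entered, expected_index=None):
    """Split 'nnnn' or 'nnnn-NN' into (otc, index); index is None if omitted.

    Raises ValueError on a malformed entry, or when the user typed an index
    that differs from the one the access device displayed (a local check,
    assumed here; the guide only states that the suffix is accepted).
    """
    m = OTC_RE.fullmatch(entered.strip())
    if not m:
        raise ValueError("OTC must be nnnn or nnnn-NN")
    otc, idx = m.group(1), m.group(2)
    if idx is not None and expected_index is not None and idx != expected_index:
        raise ValueError("index %s entered, %s expected" % (idx, expected_index))
    return otc, idx


def check_index_sequence(observed, string_count):
    """Return (attempt, expected, seen) wherever 00, 01, ... wrap-to-00 is broken."""
    bad = []
    for attempt, value in enumerate(observed):
        expected = "%02d" % (attempt % string_count)
        if value.strip() != expected:
            bad.append((attempt, expected, value))
    return bad
```

Feed `check_index_sequence` the index values collected from successive DCIndex requests, together with the number of security strings configured for the transport.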
Token Security String Index
From Swivel version 3.9 onwards, the next expected mobile client security string can be displayed using TokenIndexImage or TokenIndex.
Configuring the Access Device for Token Index
Token Index Image
The access device must be modified to tell the user which security string is required; this indicator is known as the 'Security String Index'. It is a number or an image served from the Swivel server. The Security String Index request is similar to a Single Channel image request such as TURing, and appropriate proxies or a NAT need to be put in place so that it can be requested from the Swivel server.
The Security String Index request is in the following format:
For a Swivel virtual or hardware appliance and for a Software install (the Swivel does not currently support this feature, and so will not work on 8443/proxy):
http://IP:8080/pinsafe/TokenIndexImage?username=
Example http://196.168.0.35:8080/pinsafe/TokenIndexImage?username=graham
Token Index number
Instead of an image, the number can be requested directly and displayed. Replace TokenIndexImage with TokenIndex.
Example https://196.168.0.35:8080/pinsafe/TokenIndex?username=graham
Known Problems
Swivel 3.6 and 3.7: the DCIndex and DCIndexImage requests do not produce a log entry.
Swivel versions 3.10, 3.10.1 and 3.10.2: multiple security strings do not work in these versions; the first string works, but the subsequent strings fail. These issues are fixed in 3.10.3 and updated versions of these releases.
Troubleshooting
Check the Swivel logs for any error messages.
Verify that a Single Channel image can be received at the login page by using the SCImage?username= request.